The EU Reactivates Chat Control with a Legal Technicality: Is Private Message Scanning Back?
The Council of the European Union has reactivated, via written procedure, the legal mechanism that allows messaging platforms to voluntarily scan users' chats for child pornography material. The tool, known as Chat Control 1.0, expired last April 3 after failing to reach an agreement with the European Parliament on an extension. On Thursday, July 2, the member states approved a negotiating position that essentially recreates the same expired regime under the guise of a 'new' regulation.
Since 2020, internet communication services, from messaging apps to email to VoIP telephony, fall under the scope of the ePrivacy Directive, which protects the confidentiality of communications and prohibits unauthorized interception of content and metadata. In 2021, Brussels had introduced a temporary exemption to allow providers to cross-reference hashes and AI models against online sexual abuse and grooming of minors. That exemption stalled in spring, overwhelmed by the deadlock between the Council and Parliament over the broader Chat Control 2.0 file.
A peculiarity of the new file is that it aims to make scanning mandatory and indiscriminate even on encrypted communications. Here, the legal loophole comes into play. An already expired regulation cannot be formally extended; therefore, the Council chose the opposite route: to present a legislative proposal with almost identical content but a different form, thus circumventing the regulatory gap and simultaneously putting pressure on the MEPs.
Chat Control 2.0 and indiscriminate scanning on encrypted communications The text is expected to be on the agenda of the European Parliament as early as Tuesday, July 7, with a request for urgent procedure close to the summer break. If the chamber approves the acceleration, the vote risks taking place on the last day of the useful session, when a good portion of the parliamentarians have already left Brussels for vacation.
The dossier is already in second reading, a phase in which the Council's position can only be blocked or modified by an absolute majority vote of the chamber's members, not just those present in the hemicycle. A threshold that, just before the holidays, seems almost impossible to reach for those opposing the measure.
The Council assures that the scans will remain limited 'to what is strictly necessary' and that it is not a case of generalized and indiscriminate surveillance. However, the interference with the privacy of those using these services daily remains significant, given that the mechanism is based on the automatic analysis of private content without a pre-existing individual suspicion.
The new regulation includes a time constraint on data retention: analyzed content and traffic metadata must be irreversibly deleted within 12 months from detection, unless a concrete suspicion arises that warrants further investigation. Yet again, there is still a lack of a permanent and structured legal framework for combating online abuses, an objective that the negotiations on Chat Control 2.0 continue to postpone.